Abstract — Secure multi-party computation is a central problem 
in modern cryptography. An important sub-class of this are 
problems of the following form: Alice and Bob desire to produce 
sample(s) of a pair of jointly distributed random variables. 
Each party must learn nothing more about the other party's 
output than what its own output reveals. To aid in this, they 
have available a set up — correlated random variables whose 
distribution is different from the desired distribution — as well 
as unlimited noiseless communication. In this paper we present 
an upperbound on how efficiently a given set up can be used to 
produce samples from a desired distribution. 

The key tool we develop is a generalization of the concept 
of common information of two dependent random variables 
[Gacs-Korner, 1973]. Our generalization — a three-dimensional 
region — remedies some of the limitations of the original 
definition which captured only a limited form of dependence. 
It also includes as a special case Wyner's common information 
[Wyner, 1975]. To derive the cryptographic bounds, we rely on a 
monotonicity property of this region: the region of the "views" 
of Alice and Bob engaged in any protocol can only monotonically 
expand and not shrink. Thus, by comparing the regions for the 
target random variables and the given random variables, we 
obtain our upperbound. 

I. Introduction 

Finding a meaningful definition for the "common information"
of a pair of dependent random variables X and Y has
received much attention starting from the 1970s [6], [16], [19], 
[1], [21]. We propose a new measure — a three-dimensional 
region — which brings out a detailed picture of the extent 
of common information of a pair. This gives us an expressive 
means to compare different pairs with each other, based on the 
shape and size of their respective regions. We are motivated 
by potential applications in cryptography, game theory, and 
distributed control, besides information theory, where the role 
of dependent random variables and common randomness is 
well-recognized. 

Suppose $X = (X', Q)$ and $Y = (Y', Q)$ where X', Y', Q
are independent. Then a natural measure of "common information"
of X and Y is $H(Q)$. Both an observer of X and an
observer of Y may independently produce the common part
Q; and conditioned on Q, there is no "residual dependency,"
i.e., $I(X;Y|Q) = 0$. The definition of Gacs and Korner [6]
generalizes this to arbitrary X, Y (Fig. 1(a)): the two observers
now see $X^n = (X_1, \ldots, X_n)$ and $Y^n = (Y_1, \ldots, Y_n)$, resp.,
where $(X_i, Y_i)$ pairs are independent drawings of $(X, Y)$.
They are required to produce random variables $W_1 = f_1(X^n)$
and $W_2 = f_2(Y^n)$, resp., which agree (with high probability).
The largest entropy rate (i.e., entropy normalized by $n$) of such
a "common" random variable was proposed as the common
information of X and Y. However, in the same paper [6],
Gacs and Korner showed (a result later strengthened by
Witsenhausen [16]) that this rate is still just the largest $H(Q)$
for Q such that X and Y can be written as $(X', Q)$ and $(Y', Q)$
respectively.^1 In other words, this definition captures only an
explicit form of common information in (a single instance of)
One limitation of the common information defined by Gacs 
and Korner is that it ignores information which is almost 
common. Our approach could be viewed as a strict generalization
of theirs which uncovers extra layers of "almost common
information." Technically, we introduce an omniscient genie 
who has access to both the observations X and Y and 
can send separate messages to the two observers over rate- 
limited noiseless links. See Fig. 1(b). The objective is for 
the observers to agree on a "common" random variable as 
before, but now with the genie's assistance. This leads to a 
trade-off region trading-off the rates of the noiseless links and 
the resulting common information^2 (or the resulting residual
dependency). We characterize these trade-off regions and show 
that, in general, they exhibit non-trivial behavior, but reduce 
to the trivial behaviour discussed above when the rates of the 
noiseless links are zero. 

Our new measure has an immediate application to cryptography
(Section III). Distributed random variables with non-trivial
correlations form an important resource in the cryptographic
task of secure multi-party computation. A fundamental
problem here is for two parties to "securely generate" a 
certain pair of random variables, given another pair of random 
variables, by means of a protocol. We show that the region 
of residual dependency of the views of two parties engaged 
in such a protocol can only monotonically expand and not 
shrink. Thus, by comparing the regions for the target random 
variables and the given random variables, we obtain improved 
upperbounds on the efficiency with which one pair can be used 
to securely generate another pair. 



^1 Hence, after removing the maximal such Q, the contribution to the
common information from X' and Y' is zero, even if they are highly correlated.
Other approaches which do not necessarily suffer from this drawback have
been suggested, notably [19], [1], [21].

^2 We use the term common information primarily to maintain continuity
with [6].

Fig. 1: Setup for (a) Gacs-Korner common information, and
(b) assisted common information.



II. Assisted Common Information Region 
A. Characterization 

We say that a rate pair $(R_1, R_2)$ enables a common information
rate $R_{CI}$ if for every $\epsilon > 0$, there is a large enough
integer $n$ and (deterministic) functions
$f_k : \mathcal{X}^n \times \mathcal{Y}^n \to \{1, \ldots, 2^{n(R_k+\epsilon)}\}$, $(k = 1, 2)$,
$g_1 : \mathcal{X}^n \times \{1, \ldots, 2^{n(R_1+\epsilon)}\} \to \mathbb{Z}$, and
$g_2 : \mathcal{Y}^n \times \{1, \ldots, 2^{n(R_2+\epsilon)}\} \to \mathbb{Z}$
(where $\mathbb{Z}$ is the set of integers) such that

$$\Pr\big(g_1(X^n, f_1(X^n, Y^n)) \ne g_2(Y^n, f_2(X^n, Y^n))\big) \le \epsilon, \qquad (1)$$

$$\frac{1}{n} I\big(X^n, Y^n; g_1(X^n, f_1(X^n, Y^n))\big) \ge R_{CI} - \epsilon. \qquad (2)$$

We denote the closure of the set of all rate pairs which enable
a common information rate $R_{CI}$ by $\mathcal{R}_{CI}(R_{CI})$. We call this
the rate-region for enabling a common information rate of
$R_{CI}$. Note that the largest value of $R_{CI}$ we need consider is
$H(X, Y)$. For larger values of $R_{CI}$, $\mathcal{R}_{CI}(R_{CI})$ is clearly empty.

Similarly, we define the rate-region $\mathcal{R}_{RD}(R_{RD})$ for enabling
a residual dependency rate of $R_{RD}$ as the closure of the set of
all rate pairs which enable a residual dependency rate $R_{RD}$,
where the definition of what it means for a rate pair to enable
a residual dependency rate $R_{RD}$ is exactly as above except (2)
is replaced by



1 



We also define the following "single-letter" regions

$$\mathcal{R}^*_{CI}(R_{CI}) = \{(I(Y;Q|X), I(X;Q|Y)) : I(X,Y;Q) \ge R_{CI}\}, \qquad (3)$$

$$\mathcal{R}^*_{RD}(R_{RD}) = \{(I(Y;Q|X), I(X;Q|Y)) : I(X;Y|Q) \le R_{RD}\}. \qquad (4)$$

Here Q is any random variable dependent on (X, Y).

The main result of this section is a characterization of the
rate-regions defined above (proof is sketched in Section II-F):



(5) 
(6) 



Further, the cardinality of the alphabet Q of Q in (3)-(4) can 
be restricted to lA'l + 2. 



B. Behavior at $R_1 = R_2 = 0$ and Connection to Gacs-Korner [6]


As discussed in the introduction, Gacs-Korner showed that
when there is no genie, the common information rate is zero
unless $X = (X', Q)$, $Y = (Y', Q)$, and $H(Q) > 0$. Since
the absence of links from the genie is a more restrictive
condition than zero-rate links from the genie, we can ask
whether introducing an omniscient genie, but with zero-rate
links to the observers, changes the conclusion of Gacs-Korner.
The corollary below answers this question in the negative. Also
note that the result of Gacs-Korner can be obtained as a simple
consequence of this corollary.

Let $R_{CI\text{-}0} = \sup \{R_{CI} : (0,0) \in \mathcal{R}_{CI}(R_{CI})\}$, and
$R_{RD\text{-}0} = \inf \{R_{RD} : (0,0) \in \mathcal{R}_{RD}(R_{RD})\}$.

Corollary 2.2: $R_{CI\text{-}0} > 0$ (or, $R_{RD\text{-}0} < I(X;Y)$) only if
there are X', Y', Q' such that $X = (X', Q')$, $Y = (Y', Q')$,
$R_{CI\text{-}0} = H(Q')$, and $R_{RD\text{-}0} = I(X';Y'|Q')$.

Proof sketch: We first observe that the only Q's allowed
in (3) and (4) if the rate pair (0,0) is a member are such
that $I(Q;Y|X) = I(Q;X|Y) = 0$. Thus, the joint p.m.f. of
X, Y, Q has the form

$$p(x, y, q) = p(x, y)\,p(q|x) = p(x, y)\,p(q|y).$$

Hence, for all $(x, y)$ such that $p(x, y) > 0$, we must have
$p(q|x) = p(q|y)$, $\forall q$. This implies that, if we consider the
bipartite graph with vertices in $\mathcal{X} \cup \mathcal{Y}$ and an edge between
$x \in \mathcal{X}$ and $y \in \mathcal{Y}$ if and only if $p(x, y) > 0$, for all vertices
in the same connected component, $p(q|\text{vertex})$ is the same.
Using this, and defining Q' to be the connected component to
which X (or, equivalently Y) belongs, we can show that

$$I(X,Y;Q) = I(Q';Q) \le H(Q'),$$

$$I(X;Y|Q) = H(Q'|Q) + I(X;Y|Q') \ge I(X;Y|Q').$$

If there is only one connected component, this implies that
$R_{CI\text{-}0} = 0$ and $R_{RD\text{-}0} = I(X;Y)$. Hence, if $R_{CI\text{-}0} > 0$ (or,
$R_{RD\text{-}0} < I(X;Y)$), more than one connected component must
exist; moreover $R_{CI\text{-}0} = H(Q')$ and $R_{RD\text{-}0} = I(X;Y|Q')$. ■

Thus, at zero rates, common information exhibits trivial
behavior. However, for positive rates, the behavior is, in general,
non-trivial. Presently, we will demonstrate this through
a few examples. But before that, we will show that Wyner's
common information can also be obtained as a special case of
our characterization.

Fig. 2: An achievable trade-off between $R_1 = R_2 = R$ and $R_{CI}$
(also $R_{RD}$) for jointly Gaussian X, Y of unit variance and correlation
$\rho = 0.95$. The trade-off is obtained by choosing Q in (3) and (4) to
be the optimal jointly Gaussian choice. The optimal $R_{CI}$ is at least
as much as shown and the optimal $R_{RD}$ is at most what is shown.
Note that $R_{CI}$ is strictly positive for all $R > 0$.

Fig. 3: U, V are binary random variables with joint p.m.f. p(0, 0) =
p(1, 0) = 1-2p, and p(0, 1) = 0. Boundary of $\mathcal{R}_{RD}(0)$
for p = 1/3 is shown. The marked point is the minimum sum-rate
point.



C. Connection to Wyner's Common Information [19] 

Wyner offered an alternative definition for common information
in [19]. Briefly, Wyner's common information is the
"minimum binary rate of the common input to two independent
processors that generate an approximation to X, Y."
From [19], Wyner's common information is

$$C_{\text{Wyner}} = \inf I(X, Y; U),$$

where the infimum is taken over U such that $X - U - Y$ is
a Markov chain. It is easy to show that $C_{\text{Wyner}} \ge I(X;Y)$.
Wyner's common information can be obtained as a special
case of our characterization (proof omitted due to space
constraints):
Corollary 2.3: 



min Ri 

,i?2)G7^RD(0) 



R2 



D. Non-Trivial Behavior at Non-Zero Rates 



Example 2.1: Jointly Gaussian random variables. We consider
jointly Gaussian^3 X, Y each of unit variance and with
correlation coefficient $\rho$. Let the rates of the links from the
genie to the two observers be the same, $R_1 = R_2 = R$.
Figure 2 plots an achievable $R_{CI}$ and $R_{RD}$ by choosing Q in
(3) and (4) to be the optimal jointly Gaussian choice (jointly
Gaussian with X, Y); i.e., the optimal $R_{CI}$ is at least as much
as shown and the optimal $R_{RD}$ is at most what is shown. Note
that $R_{CI} = 0$ when $R = 0$, consistent with Corollary 2.2, but
$R_{CI}$ is strictly positive for all $R > 0$.

^3 While the discussion has been for discrete random variables, it extends
directly to continuous random variables.

Fig. 4: X, Y are dependent random variables whose joint p.m.f. is
shown. The solid lines each carry a probability mass of ^ and the
lighter ones \. In the plot, all points on the dotted lines belong to
$\mathcal{R}_{RD}(0)$.

Example 2.2: A binary example. Figure 3 shows the joint
p.m.f. of a pair of dependent binary random variables U, V.
The boundary of the rate region $\mathcal{R}_{RD}(0)$ is plotted in Figure 3.
This is the optimal trade-off of rates at which the genie can 
communicate with the observers so that they may produce a 
common random variable which can render their observations 
practically conditionally independent. 

Example 2.3: Figure 4 shows the joint p.m.f. of a pair of
dependent random variables X, Y. When $\delta = 0$, they have the
simple dependency structure of $X = (X', Q)$, $Y = (Y', Q)$
where X', Y', Q are independent. This is the trivial case in the
introduction, and the observers can each produce, without any
assistance from the genie, Q which renders their observations
conditionally independent. Thus, $\mathcal{R}_{RD}(0)$ is the entire positive
quadrant. For small values of $\delta$ we intuitively expect the
random variables to be "close" to this case. A measure such
as the common information of Gacs and Korner fails to bring
this out (common information is discontinuous in $\delta$, jumping
from $H(Q) = 1$ at $\delta = 0$ to 0 for $\delta > 0$). However, the
intuition is borne out by our trade-off regions. For instance,
for $\delta = 0.05$, Figure 4 shows that $\mathcal{R}_{RD}(0)$ is nearly all of the
positive quadrant.
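
The zero-rate behaviour from the proof sketch of Corollary 2.2 and the positive-rate behaviour of Example 2.3, worked numerically as an added example (not code from the paper). The p.m.f. in `sample_pmf` is constructed here with the same structure as Example 2.3 but is not the p.m.f. of Figure 4; all function names are assumptions of this sketch, and only deterministic choices of Q are tried.

```python
from collections import defaultdict
from math import log2

def entropy(joint, idx):
    """Entropy (bits) of coordinates `idx` of a p.m.f. {outcome tuple: prob}."""
    marg = defaultdict(float)
    for outcome, p in joint.items():
        marg[tuple(outcome[i] for i in idx)] += p
    return -sum(p * log2(p) for p in marg.values() if p > 0)

def cond_mi(joint, a, b, c):
    """I(A;B|C) = H(A,C) + H(B,C) - H(A,B,C) - H(C)."""
    return (entropy(joint, a + c) + entropy(joint, b + c)
            - entropy(joint, a + b + c) - entropy(joint, c))

def component_of(pxy):
    """Return find(v): the connected component of vertex v in the bipartite
    graph on x- and y-symbols with an edge x - y iff p(x, y) > 0."""
    parent = {}
    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v
    for (x, y), p in pxy.items():
        if p > 0:
            parent[find(("x", x))] = find(("y", y))
    return find

def attach_q(pxy, q_of):
    """Joint p.m.f. of (X, Y, Q) for a deterministic Q = q_of(x, y)."""
    return {(x, y, q_of(x, y)): p for (x, y), p in pxy.items() if p > 0}

def triple(pxyq):
    """(I(Q;Y|X), I(Q;X|Y), I(X;Y|Q)): the rate pair of (3)-(4) and the
    residual dependency that this choice of Q achieves."""
    X, Y, Q = (0,), (1,), (2,)
    return (cond_mi(pxyq, Q, Y, X), cond_mi(pxyq, Q, X, Y),
            cond_mi(pxyq, X, Y, Q))

def zero_rate(pxy):
    """(H(Q'), I(X;Y|Q')) with Q' = connected component, as in Corollary 2.2."""
    find = component_of(pxy)
    joint = attach_q(pxy, lambda x, y: find(("x", x)))
    return entropy(joint, (2,)), triple(joint)[2]

def sample_pmf(delta):
    """Constructed p.m.f. (not Figure 4's): x = 2q + x', y = 2q + y' for fair
    independent bits q, x', y', with mass delta moved onto two cross edges."""
    pxy = {(2 * q + a, 2 * q + b): (1 - delta) / 8
           for q in (0, 1) for a in (0, 1) for b in (0, 1)}
    pxy[(1, 2)] = pxy[(2, 1)] = delta / 2
    return pxy

def assisted_point(delta):
    """Triple for Q = block of x (x // 2), which the X-observer computes alone."""
    return triple(attach_q(sample_pmf(delta), lambda x, y: x // 2))

if __name__ == "__main__":
    for d in (0.0, 0.05):
        print(d, zero_rate(sample_pmf(d)), assisted_point(d))
```

At delta = 0.05 the zero-rate pair is about (0, 0.81), while Q = block of x gives roughly (0, 0.24, 0.05): a link of about a quarter bit per sample to the Y-observer removes almost all of the residual dependency.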

In Section III, we will use the characterization developed in 
this section to compare the pairs of random variables in the last 
two examples in a cryptographic context. See Example 3.1. 

E. Relationship between $\mathcal{R}_{CI}$ and $\mathcal{R}_{RD}$

The residual dependency rate-region can be written in terms 
of the common information rate-region: (proof is omitted due 
to space constraints) 

Corollary 2.4: 

nHDiRRo) = {{Ri,R2) : 3(ri,r2) G SUaira) s.t. rci > 

I{X]Y) -i?RD +ri +r2,i?i > ri, and R2 > rs}, 



where 



can be shown using 



s.t. n < Ri,r2 < R2, and (ri,r2) / (i?i,i?2)}. 

F. Sketch of Proof of Theorem 2.1

Proof of achievability ($\mathcal{R} \supseteq \mathcal{R}^*$), which is based on
Wyner-Ziv's source coding with side-information [20], is omitted in
the interest of space. The cardinality bound can be shown
using Caratheodory's theorem.

To prove the converse, let $\epsilon > 0$ and $n, f_1, f_2, g_1, g_2$ be such
that (1) and (2) hold. Let $C_k = f_k(X^n, Y^n)$, for $k = 1, 2$, and
$W_1 = g_1(X^n, C_1)$ and $W_2 = g_2(Y^n, C_2)$. Then,

Ri + e> -H{Ci) > -H{Ci\X'') > 

n n n 

> i/(y";m|x") 

n 

'■^ - f2HiY,\Xi)-H{Yi\Y'-\X",Wi) 

i=l 
n 

n ^-^ 

i—l 

^-^ n 

= /(Ij; Qj\Xj, J) I{Yj- Q\Xj), Q := (Qj, J), 

where (a) follows from the independence of $(X_i, Y_i)$ pairs
across $i$. In (b), we define $J$ to be a random variable uniformly
distributed over $\{1, \ldots, n\}$ and independent of $(X^n, Y^n)$.
And (c) follows from the independence of $J$ and $(X^n, Y^n)$.
Similarly,

R2 + e> -if(C2|y") > -if(H^2|y") 
n n 

> -HiWilX'') - -H(W2\Wi) 
n n 

(a) 

> HiWilX"") -Ke 

> -/(X";m|y") - A^e 
n 

> I{Xj;Q\Yj)-Ke, 

where (a) (with $\kappa := 1 + \log|\mathcal{X}||\mathcal{Y}|$) follows from Fano's
inequality and the fact that the range of $g_1$ can be restricted
without loss of generality to a set of cardinality $|\mathcal{X}|^n|\mathcal{Y}|^n$.
And (b) can be shown along the same lines as the chain
of inequalities which gave a lower bound for $R_1$ above.
Moreover,

y"; Wi)^-y H{X,, y.) - H{X,, y,\Wi,x'-\y'-^) 

1 

n ^-^ 

i — l 

= I{Xj,Yj;Q). 

Since $X_J, Y_J$ has the same joint distribution as X, Y, the
converse ($\mathcal{R}_{CI} \subseteq \mathcal{R}^*_{CI}$) for common information follows.
Similarly, the converse ($\mathcal{R}_{RD} \subseteq \mathcal{R}^*_{RD}$) for residual dependency


n n ^-^ 

>-y^IiXi;Yi\Wi,X'-\Y'-') 

i = l 

= I{Xj;Yj\Q). 



III. Cryptographic Application 
A. Background 

Secure multi-party computation is a central problem in
modern cryptography. Roughly, the goal of secure multi-party
computation is to carry out computations on inputs distributed
among two (or more) parties, so as to provide each of them
with no more information than what their respective inputs
and outputs reveal to them. Our focus in this section is on
an important sub-class of such problems — which we shall
call secure 2-party sampling — in which the computation has
no inputs, but the outputs to the parties are required to be
from a given joint distribution (and each party should not
learn anything more than its part of the output). Also we shall
restrict ourselves to the case of honest-but-curious adversaries.
It is well-known (see for instance [18] and references therein)
that very few distributions can be sampled from in this way,
unless the computation is aided by a set up — some correlated
random variables that are given to the parties at the beginning
of the protocol. The set up itself will be from some distribution
(X, Y) (Alice gets X and Bob gets Y) which is different
from the desired distribution (U, V) (Alice getting U and Bob
getting V). The fundamental question then is, which set ups
(X, Y) can be used to securely sample which distributions
(U, V), and how efficiently.

While the feasibility question can be answered using combinatorial
analysis (as, for instance, was done in [12]), information
theoretic tools have been put to good use to show
bounds on efficiency of protocols (e.g. [2], [5], [15], [10],
[17], [7], [4], [14]). Our work continues on this vein of
using information theory to formulate and answer efficiency
questions in cryptography. Specifically, the quantities explored
in the previous section lead to effective tools in providing new
and improved upper-bounds on the rate at which samples from
a distribution (U, V) can be securely generated, per sample
drawn from a set up distribution (X, Y). Below we sketch the
outline of this application, which is further developed in [13].

a) Secure Protocols: A two-party protocol $\Pi$ is specified
by a pair of (possibly randomized) functions $\pi_{\text{Alice}}$ and $\pi_{\text{Bob}}$,
that are used by each party to operate on its current state W
to produce a message m (that is sent to the other party) and
a new state W for itself. The initial state of the parties may
consist of correlated random variables (X, Y), with Alice's
state being X and Bob's state being Y; such a pair is
called a set up for the protocol. The protocol proceeds by
the parties taking turns to apply their respective functions to
their state, and sending the resulting message to the other
party; this message is added to the state of the other party.
$\pi_{\text{Alice}}$ and $\pi_{\text{Bob}}$ also specify when the protocol terminates
and produces output (instead of producing the next message
in the protocol). A protocol is considered valid only if both
parties terminate in a finite number of rounds (with probability
1). The view of a party in an execution of the protocol is
a random variable which is defined as the collection of its
states so far in the protocol execution. For a valid protocol
$\Pi = (\pi_{\text{Alice}}, \pi_{\text{Bob}})$, we shall denote the final views of the two
parties as $(\Pi^{\text{view}}_{\text{Alice}}(X, Y), \Pi^{\text{view}}_{\text{Bob}}(X, Y))$. Also, we shall denote
the outputs as $(\Pi^{\text{out}}_{\text{Alice}}(X, Y), \Pi^{\text{out}}_{\text{Bob}}(X, Y))$.

For a protocol $\Pi$ to be a secure realization of (U, V) given a
set up (X, Y), firstly, the outputs $(\Pi^{\text{out}}_{\text{Alice}}(X, Y), \Pi^{\text{out}}_{\text{Bob}}(X, Y))$
must be identically distributed as (U, V). Secondly, if either
Alice or Bob is "curious" (or "passively corrupt"), the protocol
should give that party no more information about the other
party's output than what their own output provides. This
is formalized using a simulatability requirement. In case of
information theoretic security (as opposed to computational
security) these can be stated in terms of independence of the
view, given one's own output. Formally these three requirements
can be stated as follows:^4

$$(\Pi^{\text{out}}_{\text{Alice}}(X, Y), \Pi^{\text{out}}_{\text{Bob}}(X, Y)) = (U, V)$$

$$\Pi^{\text{view}}_{\text{Alice}}(X, Y) \leftrightarrow \Pi^{\text{out}}_{\text{Alice}}(X, Y) \leftrightarrow \Pi^{\text{out}}_{\text{Bob}}(X, Y)$$

$$\Pi^{\text{out}}_{\text{Alice}}(X, Y) \leftrightarrow \Pi^{\text{out}}_{\text{Bob}}(X, Y) \leftrightarrow \Pi^{\text{view}}_{\text{Bob}}(X, Y)$$


B. Towards Measuring Cryptographic Content 

In [17] three information theoretic quantities were used
to quantify the cryptographic content of a pair of correlated
random variables X and Y, which we shall rephrase as below:

$$H(Y \searrow X|X) = \min_{Q : H(Q|Y) = I(X;Y|Q) = 0} H(Q|X)$$

$$H(X \searrow Y|Y) = \min_{Q : H(Q|X) = I(X;Y|Q) = 0} H(Q|Y)$$

$$I(X;Y|X \wedge Y) = \min_{Q : H(Q|X) = H(Q|Y) = 0} I(X;Y|Q)$$

As shown in [17], these quantities are "monotones" that
can only decrease in a protocol, and if the protocol securely
realizes a pair of correlated random variables (U, V) using a
set up (X, Y), then each of these quantities should be at least
as large for (X, Y) as for (U, V). While these quantities do
capture several interesting cryptographic properties, they paint
a partial picture. For instance, two pairs of correlated random
variables (X, Y) and (X', Y') may have vastly different values
for these quantities, even if they are statistically close to each
other, and hence have similar "cryptographic content."

Instead, we shall consider the triplet $K[X;Y|Q]$ defined as

$$K[X;Y|Q] := (I(Q;Y|X), I(Q;X|Y), I(X;Y|Q)),$$

for an arbitrary random variable Q. By considering all random
variables Q we define the region^5

$$\mathbb{K}(X;Y) := \{(x, y, z) : \exists Q \text{ s.t. } K[X;Y|Q] \le (x, y, z)\}.$$

This generalizes the three quantities considered in [17], as
(using arguments similar to that used for Corollary 2.2) it can
be shown that the region $\mathbb{K}(X;Y) \subseteq \mathbb{R}^3_+$ intersects the
co-ordinate axes at the points $(H(Y \searrow X|X), 0, 0)$,
$(0, H(X \searrow Y|Y), 0)$, and $(0, 0, I(X;Y|X \wedge Y))$. In the following sections
we point out that $\mathbb{K}$ also satisfies a monotonicity property:
the region can only expand in a protocol, and if the protocol
securely realizes a pair of correlated random variables (U, V)
using a set up (X, Y), then $\mathbb{K}(X;Y)$ should be smaller than
$\mathbb{K}(U;V)$. As we shall see, since the region $\mathbb{K}(X;Y)$ has a
non-trivial shape (see, for instance, Example 2.2), $\mathbb{K}$ can yield
much better bounds on the rate than just considering the axis
intercepts; in particular $\mathbb{K}$ can differentiate between pairs of
correlated random variables that have the same axis intercepts.
Further $\mathbb{K}(X;Y)$ is continuous as a function of (X, Y), and
as such one can derive bounds on rate that are applicable to
statistical security as well as perfect security.

^4 For simplicity, we state the conditions for "perfect security." Our
definitions and results generalize to the setting of "statistical security," where a
small statistical error is allowed.

C. Monotone Regions for 2-Party Secure Protocols 

Given a pair of random variables (X, Y) denoting the views
of the two parties in a 2-party protocol we are interested in
capturing the "cryptographic content" of this pair. We shall
do so by defining a region in multi-dimensional real space,
that intuitively, consists of witnesses of "weakness" in the
cryptographic nature of the random variables (X, Y); thus, the
smaller this region, the more cryptographically useful the
variables are. The region has a monotonicity property: a secure
protocol that involves only communication (over noiseless
links) and local computations (i.e., without using trusted third
parties) can only enlarge the region.

Our definition of a monotone region from [13] given below,
strictly generalizes that suggested by [17]. The monotone in
[17], which is a single real number m, can be interpreted as
a one-dimensional region $[m, \infty)$ to fit our definition. (Note
that a decrease in the value of m corresponds to the region
$[m, \infty)$ enlarging.)

Definition 3.1: We will call a function M that maps a pair
of random variables X and Y, to an upward closed subset^6 of
$\mathbb{R}^d_+$ (points in the d-dimensional real space with non-negative
co-ordinates) a monotone region if it satisfies the following
properties:

1) (Local computation cannot shrink it.) For all random
variables (X, Y, Z) with $X \leftrightarrow Y \leftrightarrow Z$, we have
$M(XY; Z) \supseteq M(Y; Z)$ and $M(X; YZ) \supseteq M(X; Y)$.

2) (Communication cannot shrink it.) For all random variables
(X, Y) and functions f (over the support of
X or Y), we have $M(X; Y f(X)) \supseteq M(X; Y)$ and
$M(X f(Y); Y) \supseteq M(X; Y)$.

3) (Securely derived outputs do not have smaller regions.)
For all random variables (X, U, V, Y) with $X \leftrightarrow U \leftrightarrow V$
and $U \leftrightarrow V \leftrightarrow Y$, we have $M(U; V) \supseteq M(XU; YV)$.

4) (Cryptographic content in independent pairs add up.)
For independent pairs of random variables $(X_0, Y_0)$ and
$(X_1, Y_1)$, we have $M(X_0X_1; Y_0Y_1) = M(X_0; Y_0) + M(X_1; Y_1)$,
where the + sign denotes Minkowski sum.
That is, $M(X_0X_1; Y_0Y_1) = \{a_0 + a_1 \mid a_0 \in M(X_0; Y_0) \text{ and } a_1 \in M(X_1; Y_1)\}$.
(Here addition denotes coordinate-wise addition.)

Note that since $M(X_0; Y_0)$ and $M(X_1; Y_1)$ have non-negative
co-ordinates and are upward closed, $M(X_0; Y_0) + M(X_1; Y_1)$
is smaller than both of them. This is consistent with the
intuition that more cryptographic content (as would be the case
with having more independent copies of the random variables)
corresponds to a smaller region.

^5 Here $\le$ stands for coordinate-wise comparison. Note that $\mathbb{K}(X;Y)$ is
equivalent to $\{(\mathcal{R}_{RD}(R_{RD}), R_{RD}) : R_{RD} \in [0, I(X;Y)]\}$. We use this
notation to make the dependence on X and Y explicit.

^6 A subset M of $\mathbb{R}^d_+$ is called upward closed if $a \in M$ and $a' \ge a$ (i.e.,
each co-ordinate of $a'$ is no less than that of $a$) implies that $a' \in M$.

D. K as a Monotone Region. 

In [13] we prove the theorem below, and obtain the following
corollary.

Theorem 3.1: $\mathbb{K}$ is a monotone region as defined in
Definition 3.1.

Corollary 3.2: If $n_1$ independent copies of a pair of correlated
random variables (U, V) can be securely realized from
$n_2$ independent copies of a pair of correlated random variables
(X, Y), then $n_1 \mathbb{K}(X;Y) \subseteq n_2 \mathbb{K}(U;V)$. (Here multiplication
by an integer n refers to n-times repeated Minkowski sum.)

Intuitively, $\mathbb{K}(X;Y)$ captures the cryptographic content
of the correlated random variables (X, Y): the farther it is
from the origin, the more cryptographic content it has. In
particular, if $\mathbb{K}(X;Y)$ contains the origin, then (X, Y) is
cryptographically "trivial," in the sense that (X, Y) can be
securely realized with no set ups. This triviality property can
be inferred from the three quantities considered by [17] as 
well, since those quantities correspond to the axis intercepts 
of our monotone region. However, what makes the monotone 
region more interesting is when the pair of correlated random 
variables is non-trivial, as illustrated in the following example. 

Example 3.1: Consider the question of securely realizing
$n_1$ independent pairs of random variables distributed according
to (U, V) in Example 2.2 from $n_2$ independent pairs of (X, Y)
in Example 2.3. While the monotones in [17] will give a lower-bound
of 0.5182 on $n_2/n_1$, we show that $n_2/n_1 \ge 1.8161$.
(For this we use the intersection of $\mathbb{K}(U;V)$ with the plane
$z = 0$ (Figure 3) and one point in the region $\mathbb{K}(X;Y)$ (marked
in Figure 4), and apply Corollary 3.2.)

Hence, the axis intercepts of this monotone region (one of 
which is the common information of Gacs and Korner) do not 
by themselves capture subtle characteristics of correlation that 
are reflected in the shape of the monotone region. As discussed 
in [13], $\mathbb{K}(X;Y)$ is a convex region, and for a fixed set of
axis intercepts, the cryptographic quality of a pair of random 
variables is reflected in how little it bulges towards the origin. 



We leave as an open question whether our bound is indeed 
tight. 